issue with vpn_gateway and amazon_side_asn #5263
Comments
@dhermans For these existing VGWs with the 7224 ASN did you
If you use the AWS console and create a VGW and choose the "Amazon default ASN", it will set the ASN to 64512. Therefore, it looks like setting a VGW to 7224 is no longer allowed. Therefore, even if the resource was modified so that 7224 would be an accepted value, I'm guessing that AWS would still reject the request.
@ewbankkit Hi. If I then 'plan' the imported TF code then it fails validation. Seems messy but I could get around it with a 'pre 1 July' module which doesn't specify the ASN and a different module which does for 'post 1 July'
@heycasey Hope it's clearer? I'm not trying to create a VGW with 7224, you're right - Amazon won't allow it. I'm wanting the same terraform module to manage VGWs created before / after 1 July (if possible)
OK, I understand the situation. We probably need to handle both 7224 and 9059 ASNs as these are both Amazon reserved.
@ewbankkit Thanks! Standing by to test
@ewbankkit When is this fix planned to be merged into master? Or how can I fix it for now locally?
Accepting the legacy 7224 and 9059 ASNs for the
Could you also extend the logic to accept the legacy 17493 and 10124 ASN values? Those were the default assigned ASNs for VGWs in Singapore and Tokyo prior to 2018-06-30 (documented in the Note under the Virtual Private Gateway section).
Seems reasonable -- I'll reopen this issue
I should be able to address this tomorrow.
So, this ticket is not planned to be in v1.30.0?
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Hi team,
Thanks for terraform - it's awesome.
I'd like to bring to light an issue with this committed PR:
#1888
This PR quite correctly limits the acceptable ASN that can be added in this field to match the console.
This is in line with the AWS Direct Connect FAQ:
https://aws.amazon.com/directconnect/faqs/
If you are using a private ASN, it must be in the 64512 to 65535 range.
Amazon implemented this change (without warning except the FAQ page update) on July 1. All good - we found a new ASN in the acceptable range and can create new VPN gateway using that ASN.
The issue is that we have MANY vpn_gateway created before 1 July that use the prior 'default' Amazon peering ASN of 7224.
Terraform can no longer update these 'pre July 1' stacks due to the now invalid ASN:
Error: module.xxx-vpc.aws_vpn_gateway.xxx-vgw: "amazon_side_asn" ("7222") must be in the range 64512 to 65534 or 4200000000 to 4294967294
We can't easily change the ASN as that will cause an outage while the direct connect peering is changed.
Can the provider be amended to accept 7224 if the vpn_gateway already exists (as this was the old Amazon default and there may be many peers using this) and enforce 64512 to 65534 on create?
Thanks!
cc: @ewbankkit
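
The check requested in this issue, sketched as an added example (not the provider's code and not written by anyone in this thread): the two ranges from the error message are always accepted, and the legacy Amazon ASNs named in the comments (7224, 9059, 17493, 10124) are accepted only for a gateway that already exists. The function name `checkAmazonSideASN`, the `existing` flag, and the string-typed input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
)

// Legacy Amazon-side ASNs named in this thread: 7224 and 9059 (Amazon reserved),
// 17493 and 10124 (pre-2018-06-30 defaults for Singapore and Tokyo).
var legacyAmazonASNs = map[int64]bool{7224: true, 9059: true, 10124: true, 17493: true}

// inPrivateRange reports whether asn is in one of the two ranges quoted in the
// validation error from the issue text.
func inPrivateRange(asn int64) bool {
	return (asn >= 64512 && asn <= 65534) || (asn >= 4200000000 && asn <= 4294967294)
}

// checkAmazonSideASN is a hypothetical helper, not the provider's function.
// existing=true models a gateway already deployed or imported into state;
// existing=false models a create request, where only the ranges are allowed.
func checkAmazonSideASN(value string, existing bool) error {
	asn, err := strconv.ParseInt(value, 10, 64)
	if err != nil {
		return fmt.Errorf("amazon_side_asn %q is not a valid integer: %w", value, err)
	}
	if inPrivateRange(asn) {
		return nil
	}
	if existing && legacyAmazonASNs[asn] {
		return nil // legacy default kept so the existing peering is not disturbed
	}
	return fmt.Errorf("amazon_side_asn %q must be in the range 64512 to 65534 or 4200000000 to 4294967294", value)
}

func main() {
	// Constructed sample inputs.
	cases := []struct {
		asn      string
		existing bool
	}{{"7224", true}, {"7224", false}, {"64512", false}, {"17493", true}, {"65535", false}}
	for _, c := range cases {
		fmt.Printf("asn=%s existing=%v -> %v\n", c.asn, c.existing, checkAmazonSideASN(c.asn, c.existing))
	}
}
```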